I’m having a lot of trouble with a google search redirect virus. I think it’s a root kit. I used Kaspersky’s free tool “TDSSKiller” which removed it one time but is not now removing it. (It came back after one day). It is redirecting some but not all of my google or yahoo search results in IE or Chrome.

I have tried AVG which was already installed, Trendmicro online scan, Spybot, and none of these found the virus. My Windows Update has always been up to date.

The next thing I am going to try is look for my hosts file and see if that got corrupted. Just wondering if anyone else has any ideas.
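As an added example (not from the thread), one way to check the hosts file the OP mentions: read the path Windows actually uses (the `DataBasePath` registry value), then list any entry that maps a search-engine or security-vendor name, or that points anywhere other than loopback. The watched-name list is an assumption for illustration.

```powershell
# Added example (not from the thread): flag hosts-file entries that could redirect
# or block search/security sites. Run in an elevated PowerShell on the affected machine.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$DefaultDir  = Join-Path $env:SystemRoot 'System32\drivers\etc'
# Names the thread says were redirected, plus sites malware commonly blocks (assumed list)
$Watch = @('google.', 'yahoo.', 'bing.', 'microsoft.com', 'windowsupdate', 'kaspersky', 'malwarebytes')

function Test-HostsFile {
    $findings = @()
    # Malware sometimes repoints DataBasePath so tools inspect the wrong file; report that first.
    $dbPath = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -Path $TcpipParams -Name DataBasePath).DataBasePath)
    if ($dbPath -ne $DefaultDir) {
        $findings += [pscustomobject]@{ Line = 0; IP = ''; Host = ''; Reason = "DataBasePath is '$dbPath', expected '$DefaultDir'" }
    }
    $hostsPath = Join-Path $dbPath 'hosts'
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $hostsPath -ErrorAction Stop) {
        $lineNo++
        $clean = ($line -split '#')[0].Trim()          # strip comments and whitespace
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }            # malformed line, nothing to map
        $ip    = $parts[0]
        $names = $parts[1..($parts.Count - 1)]
        foreach ($name in $names) {
            $isLoopback = $ip -in @('127.0.0.1', '::1')
            $hit = $Watch | Where-Object { $name -like "*$_*" }
            if ($hit) {
                # A watched name never belongs in hosts: a remote IP redirects it,
                # a loopback IP silently blocks it (updates, AV downloads).
                $findings += [pscustomobject]@{ Line = $lineNo; IP = $ip; Host = $name; Reason = 'watched name present in hosts' }
            } elseif (-not $isLoopback -and $name -ne 'localhost') {
                $findings += [pscustomobject]@{ Line = $lineNo; IP = $ip; Host = $name; Reason = 'non-loopback mapping, review' }
            }
        }
    }
    return $findings
}

Test-HostsFile | Format-Table -AutoSize
```

An empty result means the file is clean; the `non-loopback mapping` rows can be legitimate entries an administrator added, so compare them against what you expect.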

Hawkwing74 wrote:I’m having a lot of trouble with a google search redirect virus. I think it’s a root kit. I used Kaspersky’s free tool “TDSSKiller” which removed it one time but is not now removing it. (It came back after one day). It is redirecting some but not all of my google or yahoo search results in IE or Chrome.

I have tried AVG which was already installed, Trendmicro online scan, Spybot, and none of these found the virus. My Windows Update has always been up to date.

The next thing I am going to try is look for my hosts file and see if that got corrupted. Just wondering if anyone else has any ideas.

If you found a tool that is specifically made to remove the exact virus signature that infected your system and it failed to disinfect, imo, the best place to ask questions would be on the developer's forum or online support. Personally I have tried removing a similar virus that redirected and prevented the user of the machine from connecting to specific websites like www.microsoft.com. In that instance I thought I successfully removed it, but after 4-5 hours the system became unresponsive and it locked the system. Even after countless reboots I couldn't get into Windows... I was forced to reinstall the OS. Luckily it wasn't my machine.

Disclaimer: All answers and suggestions are provided by an enthusiastic amateur and are therefore without warranty either explicit or implicit. Basically you use my suggestions at your own risk.

I would enter safe mode and run Malware Bytes and MSE. After running those I would set your browsers to default settings and clear all cache. I might also add using the sfc /scannow command to make sure the essential Windows files aren't corrupted or replaced with malicious ones; if that command finds anything corrupted or changed that shouldn't be, it will replace the bad files with good ones.

Unless you are absolutely sure a tool will completely remove the exact version of whatever malware (which you have conclusively identified) there is only one sane option with a lot of today's nastier stuff:

Plug the drive in another computer, grab your critical files* then nuke from orbit.

(only things you have no backups or easy replacements for, otherwise not worth the risk they've been trojanized)

This one is a pain, but I have managed to remove it from a few computers. I don't really remember the exact stuff I used, but the above is my normal approach. I usually start combofix from safe mode administrator and let it reboot and take over from there.

Check the hard drive for a hidden tdlfs file system. Plug the HDD in to another machine or use Hiren's boot CD. It will be a very small (a few MBs) partition at the end of the drive. If it's there, format it and then delete it. After you do this you will need to replace the MBR with a default one and set the OS partition 'Active.'

After all this you should be able to boot windows and run TDSSKiller and MBAM to check for further infections.
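As an added example (not from the thread), a triage listing for the "small partition at the end of the drive" the post describes: run it as administrator on the clean machine with the suspect drive attached. It assumes the Storage module (`Get-Disk`/`Get-Partition`, Windows 8 or Server 2012 and later); the size and slack thresholds are my own choices.

```powershell
# Added example (not from the thread): list every partition on every attached disk and
# mark the ones that are tiny, letterless, and sitting at the very end of the disk.
function Find-TrailingSmallPartition {
    param(
        [int]$MaxSizeMB = 32,   # "a few MBs": anything up to this is worth a look (assumed)
        [int]$SlackMB   = 8     # how close to the disk end still counts as "at the end" (assumed)
    )
    $results = @()
    foreach ($disk in Get-Disk) {
        $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                 Sort-Object Offset
        foreach ($p in $parts) {
            $sizeMB   = [math]::Round($p.Size / 1MB, 1)
            $endGapMB = [math]::Round(($disk.Size - ($p.Offset + $p.Size)) / 1MB, 1)
            # DriveLetter is a [char]; an unassigned one is not a letter
            $hasLetter = [string]$p.DriveLetter -match '[A-Za-z]'
            $results += [pscustomobject]@{
                Disk        = $disk.Number
                Partition   = $p.PartitionNumber
                SizeMB      = $sizeMB
                GapToEndMB  = $endGapMB
                DriveLetter = $(if ($hasLetter) { $p.DriveLetter } else { '' })
                Type        = $p.Type
                # Triage flag only: confirm with TDSSKiller / a hex look at the sectors before acting
                Suspicious  = ($sizeMB -le $MaxSizeMB -and $endGapMB -le $SlackMB -and -not $hasLetter)
            }
        }
    }
    return $results
}

Find-TrailingSmallPartition | Format-Table -AutoSize
```

Legitimate small partitions (EFI system, Microsoft Reserved) sit at the start of a GPT disk and are not flagged; a Windows recovery partition at the end is far larger than a few MB and is not flagged either.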

If all the above mentioned methods did not completely remove it, it's most likely from the wireless router. I tried all the methods above and to my surprise it kept coming back, and it suddenly started showing up on a second laptop as well. So I decided to hard reset the wireless router, installed its latest firmware and flashed it to dd-wrt and I haven't had the problem since.

...also, after you hopefully will be done with this malware (whatever it is), you might want to invest some $$$ into a good paid antivirus program which has better protection for system files/settings against changes/modifications by currently unknown malware (not gonna give any particular recommendation, it's up to YOU to test and see which one works best for your particular setup).

Last edited by JohnC on Wed Oct 03, 2012 9:14 pm, edited 1 time in total.

My subscription allows you people to exist on this site and makes me a better human being than you'll ever be

Captain Ned wrote:Listen to Hicks & Ripley. It's the only way to be sure.

...an internet is quite a large "place", you can't nuke all of it

No, just the local infections.

Wordplay aside, I simply don't try to fix stubborn infections. I know I'm eventually going to get them no matter what prevention tools I employ (The day job always makes me tell people it's not if, it's when) so I regularly image the OS and keep weekly data backups. A lather, rinse, & repeat is down to a couple of hours of mild inconvenience and that's only because the storage drives are WD Greens.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people and eat out their substance.

Well, fixing stubborn, "unknown" infections can be a fun experience, and such knowledge will always be useful in the future as long as you won't completely transfer to a non-Microsoft OS. But yeah, sometimes it's more productive to just wipe everything and start anew (or restore a backup image). Of course, that doesn't guarantee that you won't be re-infected again by the same exact thing (or something equally annoying) if your computer is still connected to the internets.


Hawkwing74 wrote:I will refer to this thread again if it comes back. AVG must have been updated during the day, because as soon as I got to my PC AVG found it and quarantined it. I haven't seen the redirect effect since.

Thanks for all the advice.

It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

I just wanted to add that I had a similar issue. I got rid of the infection using combofix and similar steps listed here, but it was affecting my searches when using Google Chrome, not Firefox or IE. Turns out this installs an extension in Chrome called "default extension" (see the Microsoft Security Encyclopedia article). Even when all my tools said there was no infection this extension remained and occasionally redirected searches. I had to dive in and delete the directory that contains the extension and haven't seen it come back.

I have continued to run frequent scans to check for re-infection and haven't seen it. Hope that helps.
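As an added example (not from the thread), a way to enumerate what is actually installed in the Chrome profile and spot a leftover like the "default extension" described above: it walks the `Extensions` folder, reads each `manifest.json`, resolves localised names where it can, and flags broad permissions. The profile path, the risky-permission list and the `en` locale fallback are my assumptions.

```powershell
# Added example (not from the thread): report Chrome extensions by id/name/version and
# flag the ones whose name or permissions could let them rewrite search traffic.
$ProfileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'   # assumed default profile
$RiskyPerms = @('<all_urls>', 'webRequest', 'webRequestBlocking', 'tabs', 'proxy', '*://*/*')

function Get-ChromeExtensionReport {
    param([string]$Profile = $ProfileDir)
    $extRoot = Join-Path $Profile 'Extensions'
    if (-not (Test-Path -LiteralPath $extRoot)) { return @() }
    $report = @()
    foreach ($idDir in Get-ChildItem -LiteralPath $extRoot -Directory) {
        foreach ($verDir in Get-ChildItem -LiteralPath $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
            $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
            $name = [string]$m.name
            # Localised names look like __MSG_key__; resolve from _locales\en\messages.json if present
            if ($name -match '^__MSG_(.+)__$') {
                $msgFile = Join-Path $verDir.FullName '_locales\en\messages.json'
                if (Test-Path -LiteralPath $msgFile) {
                    $msgs  = Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json
                    $entry = $msgs.PSObject.Properties[$Matches[1]]
                    if ($entry) { $name = [string]$entry.Value.message }
                }
            }
            $perms = @()
            if ($m.permissions) { $perms = @($m.permissions | ForEach-Object { [string]$_ }) }
            $flags = @()
            if ($name -ieq 'default extension') { $flags += 'name matches the redirector from the thread' }
            $hits = $perms | Where-Object { $_ -in $RiskyPerms }
            if ($hits) { $flags += "broad permissions: $($hits -join ', ')" }
            $report += [pscustomobject]@{
                Id = $idDir.Name; Name = $name; Version = $verDir.Name
                Permissions = ($perms -join ', '); Flags = ($flags -join '; '); Path = $verDir.FullName
            }
        }
    }
    return $report
}

Get-ChromeExtensionReport | Sort-Object Flags -Descending |
    Format-Table Id, Name, Version, Flags -AutoSize
```

Close Chrome first so the profile is not in use, and compare the `Id` column against the extension ids shown on chrome://extensions; a folder with no matching entry there is worth a closer look.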

steelcity_ballin wrote:It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?

steelcity_ballin wrote:It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?

For Windows machines I use MSE + Malwarebytes.

For Linux I typically use nothing, or ClamAV if I am feeling particularly paranoid.

The years just pass like trains. I wave, but they don't slow down.-- Steven Wilson

steelcity_ballin wrote:It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?

Well, I doubt that paying something like $40/year will make a serious dent in the family budget... But, it's up to you. I've been recently trying out the new version (2013) of Kaspersky Antivirus... It seems to be pretty good so far - much better in terms of performance compared to previous versions (which were notorious for causing system "slow-downs" for some people), with a simpler interface but still with plenty of configurable options (I especially like that I can set it to run auto-updates and other scheduled tasks only during "idle", and not run them at all or bother me with any notifications if, for example, I currently have a game running in full-screen mode). Not sure about its detection rates (according to http://www.av-test.org it's very good) since I usually don't try to visit suspicious sites, but it did pop the warning once right after I had updated the "Planetside 2" client, about ps2.exe having "potentially suspicious keylogger-like behavior" (which is somewhat valid, since it needs to submit your login information to PS2 login servers); I just marked it as an "Exclusion" so it would never warn me about it again.

P.S.: If you'll ever decide to pay for an antivirus program (whatever it may be) - don't buy it directly from the "official" site, there are plenty of stores (like Amazon and others) which sell valid retail licenses/copies of the same exact thing for a much cheaper price. For example, Norton Antivirus costs $50 for a 1-year license at Symantec's own store, but it costs only $20 at Amazon (sold directly by Amazon) for the same exact thing!


The popular free AVs are AVG, Avira, Avast, and MSE. I've used all at one time or another and settled on MSE for now. The Bleeping Computer website http://www.bleepingcomputer.com/ is a good place to check for specific removal advice. They often have programs to restore things malware ruins, such as a lost desktop, programs that won't run, and so on. I think they are associated with Malwarebytes and rkill too.